Solved

Radius authentication based on device certificates possible?

  • 15 February 2021
  • 5 replies
  • 62 views

I found a few topics from the earlier Hive Manager (pre-NG even) days that explained how to use Radius authentication to allow devices with a domain certificate to join a domain.

However, the way it was described, it sounded as if, when the devices all had the same issued certificate and were part of a certain OU in the AD domain, they would be able to join.

What we need though is the same authentication from the wireless side that we are currently running on our switches on the wired side of things.

This means that when a client computer connects to the network, its individual device certificate is probed. These individual, AD-issued certificates are checked by the Windows Radius Server that is part of the domain, and then, if they exist and are valid, the machine may enter the correct VLAN and get an IP from there. Otherwise, it will be put into the public LAN with device isolation and bare minimum internet access.

Until now, we only had a user-based authentication working in tandem with the HiveManager NG / Extreme Cloud IQ. All attempts to use our Radius server rules that work for LAN-based ports on the wireless side of things have not been met with any success.
Is there a guide for Aerohive/Extreme Networks devices on how to set this up on an on-premise installation of the Extreme Cloud IQVA?
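The decision described above (certificate chains to the domain CA and is valid for client authentication, then the named computer must be in the group the network policy references, otherwise isolated VLAN) can be modelled in a few lines. The following is an added example written for this thread, not code from Extreme Networks, Aerohive or Microsoft NPS: the issuing CA, the hostnames, the group-membership table and the VLAN numbers are all constructed, and the two-step `authorize` function is a hypothetical stand-in for what the RADIUS server's policy evaluates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed stand-in for the AD security group that the network policy's
// machine-group condition references: only listed computer accounts are members.
var authorizedComputers = map[string]bool{
	"laptop01.corp.example": true,
}

// Hypothetical VLAN numbers for the corporate and the isolated guest network.
const (
	corpVLAN  = 10
	guestVLAN = 999
)

// ca is a throwaway issuing CA standing in for the domain's Windows CA.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool
}

func newCA() (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "corp issuing CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &ca{cert, key, pool}, nil
}

// issue mimics the difference between a machine and a user certificate:
// a machine certificate names its host in a DNS SAN, a user certificate does not.
func (c *ca) issue(cn string, dnsSANs []string, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsSANs,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// authorize models the policy decision: (1) the certificate must chain to the
// trusted CA and be valid for client authentication; (2) the host it names must
// be a member of the referenced group. Anything else lands in the guest VLAN.
func authorize(trusted *ca, cert *x509.Certificate) (int, error) {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     trusted.pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return guestVLAN, fmt.Errorf("certificate rejected: %w", err)
	}
	for _, name := range cert.DNSNames {
		if authorizedComputers[strings.ToLower(name)] {
			return corpVLAN, nil
		}
	}
	return guestVLAN, errors.New("valid certificate, but no computer account in the policy's group")
}

func main() {
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	domainCA, _ := newCA()
	foreignCA, _ := newCA()
	machine, _ := domainCA.issue("LAPTOP01.corp.example", []string{"LAPTOP01.corp.example"}, clientAuth)
	user, _ := domainCA.issue("jdoe@corp.example", nil, clientAuth)
	rogue, _ := foreignCA.issue("LAPTOP01.corp.example", []string{"LAPTOP01.corp.example"}, clientAuth)
	for label, cert := range map[string]*x509.Certificate{
		"machine cert, account in group": machine,
		"user cert, no DNS SAN":          user,
		"machine cert, untrusted CA":     rogue,
	} {
		vlan, err := authorize(domainCA, cert)
		fmt.Printf("%-32s -> VLAN %d (%v)\n", label, vlan, err)
	}
}
```

The second case is the one the thread ends up on: a perfectly valid certificate from the right CA still gets the isolated VLAN when the account it identifies is not in the group the policy points at, so a denied request in the RADIUS log does not by itself mean the certificate or the wireless side is at fault.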


Best answer by tobias.protz 22 February 2021, 09:40

Just a quick follow-up: We have been contacted by our installation partner, and they were very helpful. We hope that we have identified the problem; it was a little hiccup, easy to miss when switching from (working) client-based auth to device-based:
We had all the users in an access control list on the AD, but when we switched to client-based auth via certificate, we did not put the clients in another ACL to auth against this; instead the old user ACL was left in place. We tried directly using the OU in which the client machines reside as a reference, but this didn't work.
I hope that fixing this will fix the problem, and basically enable us to run the same settings for access via cable and wireless networks for all machines.

Thanks a lot!


5 replies


Hello Tobias,

an AP only works as an authenticator, so it has little influence on the authentication between a WLAN client and the Radius server. Therefore, the question is whether the authentication requests arrive at your Radius at all and where it goes wrong according to the logs.

Here is a little guide:

https://extremeportal.force.com/ExtrArticleDetail?an=000080402&q=xiq%20radius%20nps

Thanks a lot,
as I said, we had user authentication already working through the Windows Radius server, and the authentication policy we are currently using for our wired clients is using a fixed device certificate issued by the Windows CA. The authentication is done via PEAP - could this be a problem?

Basically what we need is a computer authentication, not a user authentication. We have it working on our LAN network, but cannot get it to work on our wireless setup (Extreme IQ on premise, dozens of AP250).

What we have working right now is user authentication, so all APs can work as Radius clients; their connection to our server is working just fine.
I feel like we are just missing a little piece of the puzzle here; however, all documentation I could find for this is for the old Hive Manager UI only.



Hello Tobias,

what can you see on the Radius if you are using PEAP on the wireless client with computer authentication?

What are the security settings on the wireless network adapter? Do you have a screenshot?

Hello Stephan,
I will have to try tomorrow. I need somebody in the office to test stuff on site; most of us are working remotely at this time, so we can actually update and fix the network :D

